Maltego Graph (Browser) and Maltego Cases use an encryption mechanism that prevents anyone, including Maltego, from obtaining information about user-created graphs.
It is recommended that the Organization Admin enables mandatory encryption for their Organization in the Maltego Admin settings. Otherwise, each user needs to encrypt their cases individually.
How does encryption in Maltego Graph (Browser) work?
Maltego Graph (Browser) uses a four-layered encryption system that combines the RSA and AES encryption algorithms.
RSA (Rivest-Shamir-Adleman) encryption is similar to a mailbox with a pair of keys: anyone can drop a letter in, but only the owner can open it. The key pair consists of a public key, which anyone can use to send (encrypt) mail to the user, and a private key that only the user holds and uses to unlock (decrypt) the mailbox and read the messages.
AES (Advanced Encryption Standard) is a lockbox with one key that is used to both lock (encrypt) and unlock (decrypt) data.
RSA and AES are combined in the multi-layered encryption system for Maltego graphs, as illustrated in the image below.

Layer 1: a user-managed Master Password is used to encrypt and decrypt your RSA private key.
- An AES key is derived from the Master Password and used to encrypt the private key.
Layer 2: asymmetric encryption with an RSA key pair is used to encrypt and decrypt the Case Key.
- The RSA key pair consists of a private key and a public key.
- The public key encrypts the Case Key, which is used to access the contents of the case. The public key is managed by Maltego.
- The private key decrypts the Case Key. It is also managed by Maltego, but stored encrypted with the Master Password, which ensures that only the user can decrypt the Case Key.
Layer 3: Case Key AES symmetric encryption.
- The Case Key is a randomly generated AES key used to encrypt and decrypt the Graph Key.
- The Case Key is encrypted using the RSA public key and stored on Maltego’s servers. However, since Maltego does not have access to the users’ private keys, it cannot decrypt the users’ Case Keys.
- The user has a choice to encrypt or not encrypt the case in Maltego Cases. Encrypting the case is necessary if the user wants to have the graphs within the case encrypted.
Layer 4: Graph Key AES symmetric encryption.
- The Graph Key is a randomly generated AES key used to encrypt and decrypt the graph file.
- The Graph Key is encrypted using the AES Case Key and stored on Maltego’s servers.
- The graph file is cryptographically hashed to ensure its integrity, including that of the unencrypted structural data.
Please note that graphs are only encrypted if the user chooses to encrypt the case at the time of its creation.
Who generates the encryption keys, and where are they stored?
The RSA key pair (public and private key), Case Keys and Graph Keys are automatically generated and stored in the Graph Store on Maltego’s servers. The private key is encrypted with the Master Password, which is set and kept by the user, ensuring that no one apart from the user can decrypt it. The Master Password is stored by the user on the user’s device.
Whenever a user tries to access a graph from a new device, Maltego Graph (Browser) retrieves the key pair, asks the user for the Master Password, and decrypts the private key.
Can the user store the private key on their own device?
Yes, users can store the private key on their own device by entering the following commands on the command line of their device:
# Generate 4096-bit RSA Private Key
openssl genrsa -out key.pem 4096
# Extract the public key
openssl rsa -in key.pem -outform PEM -pubout -out public.pem
What can Maltego see, and not see, in encrypted user graphs?
Maltego can see:
- Entity IDs (the unique identifiers assigned to each Entity on the graph)
- Entity types
Maltego cannot see:
- Entity values
- Property values
- Link Property values connecting the Entities
Maltego only retains structural information about Entities such as their types, IDs and how Entities are linked to each other.
Are your encryption methods compliant with industry standards?
Yes, the encryption algorithms used by Maltego comply with industry standards and are recommended by organizations such as NIST, BSI and OWASP.
Maltego uses the following specific encryption algorithms:
- Symmetric Encryption: AES-256 GCM
- Asymmetric Encryption: RSA-OAEP-4096
- Key Derivation: PBKDF2 with HMAC-SHA-256 and 600,000 iterations
- Message Authentication: GMAC-256
The system was further evaluated through a penetration test conducted by an external security company.
How does encryption work when graphs are shared with collaborators?
Encrypted graphs are nested within encrypted cases. When a user wants to share an encrypted graph with a collaborator, they need to share the case in Maltego Cases.
The graph below illustrates how cases stay encrypted when shared across the organization.

When Alice wants to share a case with Bob:
- Alice invites Bob to an encrypted case in Maltego Cases.
- Maltego Graph requests Alice’s Case Key from the Graph Store.
- Maltego Graph retrieves Bob’s public key from the Graph Store.
- Maltego Graph decrypts the Case Key with Alice’s private key.
- Maltego Graph uses Bob’s public key to encrypt the Case Key.
- The encrypted Case Key is stored in the Graph Store with reference information.
When Bob wants to access a case shared by Alice:
- Maltego Graph requests the encrypted Case Key from the Graph Store.
- Maltego Graph uses Bob’s private key to decrypt the Case Key.
- Bob can now access the shared encrypted case with the Case Key.